Documentation
This configuration example should be read alongside the official configuration guide, located here:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_botnet.htm
Overview
Malware is malicious software installed on a host without the owner's knowledge. Malware that attempts network activity, such as sending private data (passwords, credit card numbers, keystrokes, or proprietary data) back to its controller, can be detected by the Botnet Traffic Filter when it opens a connection to a known bad IP address. The Botnet Traffic Filter checks incoming and outgoing connections against a dynamic database of known bad domain names and IP addresses (the blacklist) and then logs or blocks any suspicious activity.
Prerequisite
The ASA must be running at least version 8.2 to be able to configure the Botnet Traffic Filter feature.
ASA-5505# sh ver

Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(5)
…….
A Botnet Traffic Filter license must be installed on the ASA.

The license is time-based: once it expires, filtering stops working until the license is renewed.
Limitations
The Botnet Traffic Filter does not share any information between the units of a failover pair.
A failover or a reboot requires the dynamic database to be downloaded again.
There is currently no support for IPv6.
Step by Step Configuration

1. Enable the DNS client on the ASA
This step is required so that the ASA can resolve the address of the Cisco Security Intelligence Operations (CSIO) updater service, allowing the dynamic-filter updater client to fetch database updates.
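The following configuration is added here as a worked example; it is not taken from the original page or from Cisco's documentation. It carries step 1 through to a working filter, so it goes beyond the DNS step alone. The interface names (outside, inside), the DNS server 10.1.1.53 and the domain/address list entries are placeholders to be replaced with your own values. The dynamic-filter drop blacklist command is not in the 8.2(1) image shown above; to my knowledge it was added in 8.2(2), so verify against the release notes for your image. On 8.2(1) the filter classifies and logs only.

```cisco
! 1. DNS client: the updater client needs to resolve the CSIO update server.
!    10.1.1.53 and the interface name "outside" are placeholders.
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 10.1.1.53

! 2. Enable the updater client and permit use of the downloaded dynamic database.
dynamic-filter updater-client enable
dynamic-filter use-database

! 3. Optional administrator-defined lists (placeholder entries).
!    Names are matched through DNS snooping; addresses match directly.
!    A whitelist entry overrides a blacklist match for the same address or name.
dynamic-filter blacklist
 name bad.example.com
 address 192.0.2.100 255.255.255.255
dynamic-filter whitelist
 name updates.example.com

! 4. DNS snooping: inspect DNS replies so that addresses returned for
!    blacklisted names are added to the DNS reverse lookup cache.
!    This extends the default global policy; adjust the names if your
!    inspection policy differs from the factory default.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map dynamic-filter-snoop

! 5. Turn on classification on the interface facing the Internet.
dynamic-filter enable interface outside

! 6. Optionally drop (rather than only log) traffic to blacklisted addresses.
!    Not available in 8.2(1); assumed to require 8.2(2) or later.
dynamic-filter drop blacklist interface outside
```

After applying this, confirm that the updater client has reached the server and that the database is loaded with show dynamic-filter updater-client and show dynamic-filter data, and that DNS snooping is populating the reverse cache with show dynamic-filter dns-snoop. Because the downloaded database is not synchronized to a failover peer and is lost on reboot (see Limitations above), re-check show dynamic-filter data after any failover event.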

Manual Black List:
Blacklisted traffic is traffic to or from an IP address that is considered malicious. The address can be an IP address or network entry in the dynamic blacklist or in the administrator-configured blacklist, or it can be a snooped IP address found in a DNS reply for a blacklisted domain.

The syslog messages generated by the Botnet Traffic Filter are documented here:
http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp5787165
Show commands

show dynamic-filter data
dynamic-filter database find <string>
show dynamic-filter reports top botnet-sites
show dynamic-filter reports top infected-hosts
show dynamic-filter reports top botnet-ports

clear dynamic-filter statistics
The dynamic-filter statistics can be cleared at any time with this command. To clear the statistics for a single interface, add the optional interface <nameif> keyword.

clear dynamic-filter reports top [botnet-sites | botnet-ports | infected-hosts]
This command resets all counters to 0 and removes all entries from the selected report(s).

clear dynamic-filter dns-snoop
This command deletes all entries from the DNS reverse lookup cache (DNSRC), the table of IP addresses learned by snooping DNS replies for blacklisted domain names.
